transmits the original username and password to the organization’s own Web servers, where the login process can proceed as usual. If the confidence score isn’t high enough, the user may be asked to type their username and password again, or to answer a pre-arranged security question (e.g. “Name your favorite flavor of ice cream”). Alternatively, the system might grant limited access, restricting users to non-sensitive areas of a company intranet, for example.
Delfigo’s software can also raise or lower the threshold that the confidence score must meet depending on additional factors such as the time of day or the location from which the user is trying to log in. If you’re trying to log in at 3:00 a.m. from a building you don’t normally work in, for example, the system may require a higher confidence score before it will let you in.
But the core of the system is the keyboard-based biometric measurement, which, according to Rodriguez, draws on two decades of research at places like IBM, SRI, and MIT showing that each computer user has a consistent typing style that is nearly as unique as their fingerprint or iris scan.
But if the science has been understood for so long, why hasn’t this form of multi-factor authentication been used before? It’s all a matter of browser technology, according to Rodriguez. “It’s only when you have the ability to use what everyone has in 2009—a sophisticated browser—that we are finally able to use the [computer power] under the cover of the browser as a toolkit to capture these electrical signals,” he says.
Companies don’t have to install any software to use Delfigo’s Software-as-a-Service technology as a gatekeeper to their systems. And Delfigo never sees the actual usernames and passwords, whose alphanumeric values are masked until a user clears the confidence threshold; it’s the dwell times and flight times that matter.
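To make the flow described above concrete, here is an added Python sketch (not Delfigo's code or algorithm) of dwell/flight-time scoring with a context-dependent threshold and the three outcomes the article mentions. The scoring formula, the threshold numbers, the margin and all timings are assumptions constructed for illustration.

```python
from statistics import mean, pstdev

JITTER_FLOOR_MS = 10.0   # assumed minimum spread, so tiny enrolment sets don't over-penalise
BASE_THRESHOLD = 0.70    # assumed default; the article gives no numbers

def features(events):
    """events: [(key, press_ms, release_ms), ...] -> dwell times then flight times."""
    dwell = [rel - press for _, press, rel in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight   # key identity is never used, only timing

def enroll(samples):
    """Per-feature (mean, std) over several typings of the same credential."""
    return [(mean(col), pstdev(col)) for col in zip(*map(features, samples))]

def confidence(profile, events):
    """1.0 = matches the enrolled rhythm; 0.0 = average deviation of 3+ std devs."""
    sample = features(events)
    if len(sample) != len(profile):
        return 0.0
    z = [abs(x - m) / max(s, JITTER_FLOOR_MS) for x, (m, s) in zip(sample, profile)]
    return max(0.0, 1.0 - mean(z) / 3.0)

def required_threshold(hour, usual_location):
    """Raise the bar for off-hours or unfamiliar-location logins."""
    t = BASE_THRESHOLD
    if hour < 6 or hour >= 22:
        t += 0.10
    if not usual_location:
        t += 0.10
    return min(t, 0.95)

def decide(score, threshold, margin=0.15):
    if score >= threshold:
        return "forward_credentials"   # login proceeds as usual
    if score >= threshold - margin:
        return "step_up"               # retype, or security question
    return "limited_access"            # non-sensitive areas only

# Constructed timings (ms) for a three-key credential
ENROLLED = enroll([
    [("a", 0, 90), ("b", 150, 250), ("c", 330, 410)],
    [("a", 0, 100), ("b", 170, 260), ("c", 340, 430)],
    [("a", 0, 95), ("b", 160, 255), ("c", 335, 420)],
])

if __name__ == "__main__":
    attempt = [("a", 0, 92), ("b", 158, 252), ("c", 334, 421)]
    score = confidence(ENROLLED, attempt)
    print(round(score, 2), decide(score, required_threshold(3, False)))
```

The same borderline score can yield a step-up prompt during normal hours and limited access at 3:00 a.m. from an unfamiliar location, because only the threshold moves.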
Rodriguez thinks the system will appeal to banks, hospitals, financial services companies, e-commerce companies, and any other organization with a requirement for strong authentication. “There’s an opportunity for us to replace the difficulty and the expense of token-based security,” he says.
He didn’t anticipate, however, that a healthcare organization would be his first big client. “I wish I’d been that insightful, but it only became a serious issue for healthcare when everyone started talking about electronic medical records and having different tiers of access,” Rodriguez says. “Dr. Lock is really a visionary who wanted to think through how he would deploy his own vision of providing access to hospital data to outside hospitals who don’t have that same level of sophistication [as Children’s Hospital].”